Attachment #208202 for bug #212817




	from portage.const import VDB_PATH, PRIVATE_PATH, CACHE_PATH, DEPCACHE_PATH, \
		USER_CONFIG_PATH, MODULES_FILE_PATH, CUSTOM_PROFILE_PATH, PORTAGE_BASE_PATH, \
		PORTAGE_BIN_PATH, PORTAGE_PYM_PATH, PROFILE_PATH, LOCALE_DATA_PATH, \
		EBUILD_SH_BINARY, SANDBOX_BINARY, MACOSSANDBOX_BINARY, MACOSSANDBOX_PROFILE, BASH_BINARY, \
		MOVE_BINARY, PRELINK_BINARY, WORLD_FILE, MAKE_CONF_FILE, MAKE_DEFAULTS_FILE, \
		DEPRECATED_PROFILE_FILE, USER_VIRTUALS_FILE, EBUILD_SH_ENV_FILE, \
		INVALID_ENV_FILE, CUSTOM_MIRRORS_FILE, CONFIG_MEMORY_FILE,\

			if bsd_chflags:
				self.features.add('chflags')

			if not portage.process.macossandbox_capable and \
				("macossandbox" in self.features or "macosusersandbox" in self.features):
				if self.profile_path is not None and \
					os.path.realpath(self.profile_path) == \
					os.path.realpath(PROFILE_PATH):
					""" Don't show this warning when running repoman and the
					sandbox feature came from a profile that doesn't belong to
					the user."""
					writemsg(colorize("BAD", "!!! Problem with macos sandbox" + \
						" binary. Disabling...\n\n"), noiselevel=-1)
				if "macossandbox" in self.features:
					self.features.remove("macossandbox")
				if "macosusersandbox" in self.features:
					self.features.remove("macosusersandbox")

			self["FEATURES"] = " ".join(sorted(self.features))
			self.backup_changes("FEATURES")
			global _glep_55_enabled, _validate_cache_for_unsupported_eapis

	# fake ownership/permissions will have to be converted to real
	# permissions in the merge phase.
	fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable
	macossandbox = ("macossandbox" in features or \
		"macosusersandbox" in features)
	if droppriv and not uid and portage_gid and portage_uid:
		keywords.update({"uid":portage_uid,"gid":portage_gid,
			"groups":userpriv_groups,"umask":002})
	if not free:
		free=((droppriv and "usersandbox" not in features and
			"macosusersandbox" not in features) or \
			(not droppriv and "sandbox" not in features and \
			"usersandbox" not in features and not fakeroot and \
			not macossandbox))

	# confining the process to a prefix sandbox is disabled by default, if
	# a normal sandbox is requested a this point, it will be used, if no
	# sandbox is requested, a prefix sandbox will be imposed if requested
	# by the appropriate features
	prefixsandbox = False
	if free:
		prefixsandbox = "macosprefixsandbox" in features
		free = not prefixsandbox

	if free or "SANDBOX_ACTIVE" in os.environ:
		keywords["opt_name"] += " bash"

		keywords["opt_name"] += " fakeroot"
		keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")
		spawn_func = portage.process.spawn_fakeroot
	elif macossandbox:
		keywords["opt_name"] += " macossandbox"
		if prefixsandbox:
			sbprefixpath = mysettings["EPREFIX"]
		else:
			sbprefixpath = mysettings["PORTAGE_BUILDDIR"]

		# escape some characters with special meaning in re's
		sbprefixre = sbprefixpath.replace("+", "\+")
		sbprefixre = sbprefixre.replace("*", "\*")
		sbprefixre = sbprefixre.replace("[", "\[")
		sbprefixre = sbprefixre.replace("[", "\[")

		sbprofile = MACOSSANDBOX_PROFILE
		sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath)
		sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre)

		keywords["profile"] = sbprofile
		spawn_func = portage.process.spawn_macossandbox
	else:
		keywords["opt_name"] += " sandbox"
		spawn_func = portage.process.spawn_sandbox

		restrict = mysettings["PORTAGE_RESTRICT"].split()
		nosandbox = (("userpriv" in features) and \
			("usersandbox" not in features) and \
			("macosusersandbox" not in features) and \
			"userpriv" not in restrict and \
			"nouserpriv" not in restrict)
		if nosandbox and ("userpriv" not in features or \
			"userpriv" in restrict or \
			"nouserpriv" in restrict):
			nosandbox = ("sandbox" not in features and \
				"usersandbox" not in features and \
				"macosusersandbox" not in features)

		sesandbox = mysettings.selinux_enabled() and \
			"sesandbox" in mysettings.features




BASH_BINARY              = PORTAGE_BASH
MOVE_BINARY              = PORTAGE_MV
PRELINK_BINARY           = EPREFIX + "/usr/sbin/prelink"
MACOSSANDBOX_BINARY     = "/usr/bin/sandbox-exec"
MACOSSANDBOX_PROFILE    = '''(version 1)

(allow default)

(deny file-write*)

(allow file-read* file-write*
  (literal
    #"@@WRITEABLE_PREFIX@@"
  )

  (regex
    #"^@@WRITEABLE_PREFIX_RE@@/"
    #"^(/private)?/var/tmp"
    #"^(/private)?/tmp"
  )
)

(allow file-read-data file-write-data
  (regex
    #"^/dev/null$"
    #"^(/private)?/var/run/syslog$"
  )
)'''

INVALID_ENV_FILE         = "/etc/spork/is/not/valid/profile.env"
REPO_NAME_FILE           = "repo_name"

Lines 17-23 Link Here

(-)prefix-portage-2.2.00.14200//pym/portage/process.py.msb (-1 / +17 lines)
17	'portage.util:dump_traceback',	17	'portage.util:dump_traceback',
18	)	18	)
19		19
20	from portage.const import BASH_BINARY, SANDBOX_BINARY, FAKEROOT_BINARY	20	from portage.const import BASH_BINARY, SANDBOX_BINARY, MACOSSANDBOX_BINARY, FAKEROOT_BINARY
21	from portage.exception import CommandNotFound	21	from portage.exception import CommandNotFound
22		22
23	try:	23	try:
Lines 40-45 Link Here
40	fakeroot_capable = (os.path.isfile(FAKEROOT_BINARY) and	40	fakeroot_capable = (os.path.isfile(FAKEROOT_BINARY) and
41	os.access(FAKEROOT_BINARY, os.X_OK))	41	os.access(FAKEROOT_BINARY, os.X_OK))
42		42
		43	macossandbox_capable = (os.path.isfile(MACOSSANDBOX_BINARY) and
		44	os.access(MACOSSANDBOX_BINARY, os.X_OK))
		45
43	def spawn_bash(mycommand, debug=False, opt_name=None, **keywords):	46	def spawn_bash(mycommand, debug=False, opt_name=None, **keywords):
44	"""	47	"""
45	Spawns a bash shell running a specific commands	48	Spawns a bash shell running a specific commands
Lines 89-94 Link Here
89	args.append(mycommand)	92	args.append(mycommand)
90	return spawn(args, opt_name=opt_name, **keywords)	93	return spawn(args, opt_name=opt_name, **keywords)
91		94
		95	def spawn_macossandbox(mycommand, profile=None, opt_name=None, **keywords):
		96	if not macossandbox_capable:
		97	return spawn_bash(mycommand, opt_name=opt_name, **keywords)
		98	args=[MACOSSANDBOX_BINARY]
		99	if not opt_name:
		100	opt_name = os.path.basename(mycommand.split()[0])
		101	args.append("-p")
		102	args.append(profile)
		103	args.append(BASH_BINARY)
		104	args.append("-c")
		105	args.append(mycommand)
		106	return spawn(args, opt_name=opt_name, **keywords)
		107
92	_exithandlers = []	108	_exithandlers = []
93	def atexit_register(func, args, *kargs):	109	def atexit_register(func, args, *kargs):
94	"""Wrapper around atexit.register that is needed in order to track	110	"""Wrapper around atexit.register that is needed in order to track

Return to bug 212817

Lines 100-106 Link Here

(-)prefix-portage-2.2.00.14200//pym/portage/__init__.py.msb (-4 / +53 lines)
100	from portage.const import VDB_PATH, PRIVATE_PATH, CACHE_PATH, DEPCACHE_PATH, \	100	from portage.const import VDB_PATH, PRIVATE_PATH, CACHE_PATH, DEPCACHE_PATH, \
101	USER_CONFIG_PATH, MODULES_FILE_PATH, CUSTOM_PROFILE_PATH, PORTAGE_BASE_PATH, \	101	USER_CONFIG_PATH, MODULES_FILE_PATH, CUSTOM_PROFILE_PATH, PORTAGE_BASE_PATH, \
102	PORTAGE_BIN_PATH, PORTAGE_PYM_PATH, PROFILE_PATH, LOCALE_DATA_PATH, \	102	PORTAGE_BIN_PATH, PORTAGE_PYM_PATH, PROFILE_PATH, LOCALE_DATA_PATH, \
103	EBUILD_SH_BINARY, SANDBOX_BINARY, BASH_BINARY, \	103	EBUILD_SH_BINARY, SANDBOX_BINARY, MACOSSANDBOX_BINARY, MACOSSANDBOX_PROFILE, BASH_BINARY, \
104	MOVE_BINARY, PRELINK_BINARY, WORLD_FILE, MAKE_CONF_FILE, MAKE_DEFAULTS_FILE, \	104	MOVE_BINARY, PRELINK_BINARY, WORLD_FILE, MAKE_CONF_FILE, MAKE_DEFAULTS_FILE, \
105	DEPRECATED_PROFILE_FILE, USER_VIRTUALS_FILE, EBUILD_SH_ENV_FILE, \	105	DEPRECATED_PROFILE_FILE, USER_VIRTUALS_FILE, EBUILD_SH_ENV_FILE, \
106	INVALID_ENV_FILE, CUSTOM_MIRRORS_FILE, CONFIG_MEMORY_FILE,\	106	INVALID_ENV_FILE, CUSTOM_MIRRORS_FILE, CONFIG_MEMORY_FILE,\
Lines 2188-2193 Link Here
2188	if bsd_chflags:	2188	if bsd_chflags:
2189	self.features.add('chflags')	2189	self.features.add('chflags')
2190		2190
		2191	if not portage.process.macossandbox_capable and \
		2192	("macossandbox" in self.features or "macosusersandbox" in self.features):
		2193	if self.profile_path is not None and \
		2194	os.path.realpath(self.profile_path) == \
		2195	os.path.realpath(PROFILE_PATH):
		2196	""" Don't show this warning when running repoman and the
		2197	sandbox feature came from a profile that doesn't belong to
		2198	the user."""
		2199	writemsg(colorize("BAD", "!!! Problem with macos sandbox" + \
		2200	" binary. Disabling...\n\n"), noiselevel=-1)
		2201	if "macossandbox" in self.features:
		2202	self.features.remove("macossandbox")
		2203	if "macosusersandbox" in self.features:
		2204	self.features.remove("macosusersandbox")
		2205
2191	self["FEATURES"] = " ".join(sorted(self.features))	2206	self["FEATURES"] = " ".join(sorted(self.features))
2192	self.backup_changes("FEATURES")	2207	self.backup_changes("FEATURES")
2193	global _glep_55_enabled, _validate_cache_for_unsupported_eapis	2208	global _glep_55_enabled, _validate_cache_for_unsupported_eapis
Lines 3883-3895 Link Here
3883	# fake ownership/permissions will have to be converted to real	3898	# fake ownership/permissions will have to be converted to real
3884	# permissions in the merge phase.	3899	# permissions in the merge phase.
3885	fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable	3900	fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable
		3901	macossandbox = ("macossandbox" in features or \
		3902	"macosusersandbox" in features)
3886	if droppriv and not uid and portage_gid and portage_uid:	3903	if droppriv and not uid and portage_gid and portage_uid:
3887	keywords.update({"uid":portage_uid,"gid":portage_gid,	3904	keywords.update({"uid":portage_uid,"gid":portage_gid,
3888	"groups":userpriv_groups,"umask":002})	3905	"groups":userpriv_groups,"umask":002})
3889	if not free:	3906	if not free:
3890	free=((droppriv and "usersandbox" not in features) or \	3907	free=((droppriv and "usersandbox" not in features and
		3908	"macosusersandbox" not in features) or \
3891	(not droppriv and "sandbox" not in features and \	3909	(not droppriv and "sandbox" not in features and \
3892	"usersandbox" not in features and not fakeroot))	3910	"usersandbox" not in features and not fakeroot and \
		3911	not macossandbox))
		3912
		3913	# confining the process to a prefix sandbox is disabled by default, if
		3914	# a normal sandbox is requested a this point, it will be used, if no
		3915	# sandbox is requested, a prefix sandbox will be imposed if requested
		3916	# by the appropriate features
		3917	prefixsandbox = False
		3918	if free:
		3919	prefixsandbox = "macosprefixsandbox" in features
		3920	free = not prefixsandbox
3893		3921
3894	if free or "SANDBOX_ACTIVE" in os.environ:	3922	if free or "SANDBOX_ACTIVE" in os.environ:
3895	keywords["opt_name"] += " bash"	3923	keywords["opt_name"] += " bash"
Lines 3898-3903 Link Here
3898	keywords["opt_name"] += " fakeroot"	3926	keywords["opt_name"] += " fakeroot"
3899	keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")	3927	keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")
3900	spawn_func = portage.process.spawn_fakeroot	3928	spawn_func = portage.process.spawn_fakeroot
		3929	elif macossandbox:
		3930	keywords["opt_name"] += " macossandbox"
		3931	if prefixsandbox:
		3932	sbprefixpath = mysettings["EPREFIX"]
		3933	else:
		3934	sbprefixpath = mysettings["PORTAGE_BUILDDIR"]
		3935
		3936	# escape some characters with special meaning in re's
		3937	sbprefixre = sbprefixpath.replace("+", "\+")
		3938	sbprefixre = sbprefixre.replace("", "\")
		3939	sbprefixre = sbprefixre.replace("[", "\[")
		3940	sbprefixre = sbprefixre.replace("[", "\[")
		3941
		3942	sbprofile = MACOSSANDBOX_PROFILE
		3943	sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath)
		3944	sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre)
		3945
		3946	keywords["profile"] = sbprofile
		3947	spawn_func = portage.process.spawn_macossandbox
3901	else:	3948	else:
3902	keywords["opt_name"] += " sandbox"	3949	keywords["opt_name"] += " sandbox"
3903	spawn_func = portage.process.spawn_sandbox	3950	spawn_func = portage.process.spawn_sandbox
Lines 6996-7008 Link Here
6996	restrict = mysettings["PORTAGE_RESTRICT"].split()	7043	restrict = mysettings["PORTAGE_RESTRICT"].split()
6997	nosandbox = (("userpriv" in features) and \	7044	nosandbox = (("userpriv" in features) and \
6998	("usersandbox" not in features) and \	7045	("usersandbox" not in features) and \
		7046	("macosusersandbox" not in features) and \
6999	"userpriv" not in restrict and \	7047	"userpriv" not in restrict and \
7000	"nouserpriv" not in restrict)	7048	"nouserpriv" not in restrict)
7001	if nosandbox and ("userpriv" not in features or \	7049	if nosandbox and ("userpriv" not in features or \
7002	"userpriv" in restrict or \	7050	"userpriv" in restrict or \
7003	"nouserpriv" in restrict):	7051	"nouserpriv" in restrict):
7004	nosandbox = ("sandbox" not in features and \	7052	nosandbox = ("sandbox" not in features and \
7005	"usersandbox" not in features)	7053	"usersandbox" not in features and \
		7054	"macosusersandbox" not in features)
7006		7055
7007	sesandbox = mysettings.selinux_enabled() and \	7056	sesandbox = mysettings.selinux_enabled() and \
7008	"sesandbox" in mysettings.features	7057	"sesandbox" in mysettings.features

Lines 78-83 Link Here

(-)prefix-portage-2.2.00.14200//pym/portage/const.py.msb (+25 lines)
78	BASH_BINARY = PORTAGE_BASH	78	BASH_BINARY = PORTAGE_BASH
79	MOVE_BINARY = PORTAGE_MV	79	MOVE_BINARY = PORTAGE_MV
80	PRELINK_BINARY = EPREFIX + "/usr/sbin/prelink"	80	PRELINK_BINARY = EPREFIX + "/usr/sbin/prelink"
		81	MACOSSANDBOX_BINARY = "/usr/bin/sandbox-exec"
		82	MACOSSANDBOX_PROFILE = '''(version 1)
		83
		84	(allow default)
		85
		86	(deny file-write*)
		87
		88	(allow file-read* file-write*
		89	(literal
		90	#"@@WRITEABLE_PREFIX@@"
		91	)
		92
		93	(regex
		94	#"^@@WRITEABLE_PREFIX_RE@@/"
		95	#"^(/private)?/var/tmp"
		96	#"^(/private)?/tmp"
		97	)
		98	)
		99
		100	(allow file-read-data file-write-data
		101	(regex
		102	#"^/dev/null$"
		103	#"^(/private)?/var/run/syslog$"
		104	)
		105	)'''
81		106
82	INVALID_ENV_FILE = "/etc/spork/is/not/valid/profile.env"	107	INVALID_ENV_FILE = "/etc/spork/is/not/valid/profile.env"
83	REPO_NAME_FILE = "repo_name"	108	REPO_NAME_FILE = "repo_name"